Opened 6 years ago

Closed 6 years ago

#15225 closed task (fixed)

Investigate why Atlas does not work with the medium-high security slider setting

Reported by: gk
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity:
Keywords:
Cc: phw, ma1
Actual Points:
Parent ID: #9387
Points:
Reviewer:
Sponsor:

Description

Looking for some relays on atlas gives me

JavaScript Error!

There is a problem with your javascript environment, you may have noscript enabled on the remote onionoo backend.

using the medium-high setting of the security slider which allows only HTTPS sourced JavaScript. I wonder whether that is a subtle bug in NoScript or where it is actually going wrong. I can't believe there are HTTP JavaScript requests involved here. Looking at the browser console I can only see HTTPS ones.

In order to get it to work I have to allow NoScript globally which is not an ideal solution.

Change History (7)

comment:1 Changed 6 years ago by phw

It looks like Atlas' index page includes HTTP-sourced JS when loaded by IE:

    <!-- Le HTML5 shim, for IE6-8 support of HTML elements -->
    <!--[if lt IE 9]>
      <script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
    <![endif]-->

The URL seems to support HTTPS just fine, so we can change that easily. Alternatively, IE 9 seems to be old, so I also wouldn't mind if we just dump that snippet.

comment:2 Changed 6 years ago by phw

I committed a fix and uploaded a new, temporary, version of atlas here: https://people.torproject.org/~phw/volatile/atlas/

Does this still trigger the error message?

comment:3 Changed 6 years ago by gk

Cc: ma1 added
Status: new → needs_information

Yeah, I saw that (re comment 1) and yes, it is still an issue. But the IE snippet does not get loaded in Tor Browser at all as far as I can see. The issue is a NoScript one. Here is what happens:

Consider https://atlas.torproject.org/#search/DFRIpi.
Looking at NoScript's isJSEnabled() all scripts for atlas.torproject.org get loaded. But then onionoo.torproject.org gets called to check for the DFRIpi relays. We have a window for it and enabled gets set to true due to the globalHTTPSWhitelist option. topSite is still https://atlas.torproject.org. Thus, we need to do another check

            enabled = this.isJSEnabled(topSite);

and this returns false as there is no window for https://atlas.torproject.org we pass anymore. Thus, scripts loaded from https://onionoo.torproject.org are blocked despite the site that is responsible for the call and the script itself being HTTPS-enabled.

Giorgio, does anything speak against passing the window to isJSEnabled()? (Might be needed in the iframe case, too? I have not checked that yet)
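
An added example, not part of the ticket and not NoScript's code: a small JavaScript model of the check sequence comment:3 describes, showing why the window-less re-check of the top site blocks the onionoo request. Only `isJSEnabled`, `topSite`, `globalHTTPSWhitelist` and `restrictSubdocScripting` come from the ticket; the function bodies, the `prefs` object and the `win.topUrl` stand-in are assumptions.

```javascript
// Simplified model of the decision described in comment:3. NOT NoScript's source:
// function bodies, `prefs`, `whitelist` and the window stand-in are assumptions.
const prefs = { globalHTTPSWhitelist: true, restrictSubdocScripting: true };
const whitelist = new Set(); // per-site permissions, left empty in this model

const isHttps = (url) => new URL(url).protocol === "https:";

// Assumed rule: the global HTTPS whitelist can only match when a window is
// supplied, because it also looks at that window's top-level document.
function isJSEnabled(site, win) {
  if (whitelist.has(new URL(site).origin)) return true;
  if (prefs.globalHTTPSWhitelist && win) {
    return isHttps(site) && isHttps(win.topUrl);
  }
  return false;
}

// Behaviour reported in the ticket: the top-site re-check drops the window.
function allowScriptReported(site, topSite, win) {
  let enabled = isJSEnabled(site, win);
  if (enabled && prefs.restrictSubdocScripting && site !== topSite) {
    enabled = isJSEnabled(topSite); // no window, so the HTTPS rule cannot match
  }
  return enabled;
}

// Change asked about in comment:3: pass the window to the second check too.
function allowScriptProposed(site, topSite, win) {
  let enabled = isJSEnabled(site, win);
  if (enabled && prefs.restrictSubdocScripting && site !== topSite) {
    enabled = isJSEnabled(topSite, win);
  }
  return enabled;
}

// Constructed sample request: Atlas asking onionoo for relay data.
const win = { topUrl: "https://atlas.torproject.org/#search/DFRIpi" };
const sample = ["https://onionoo.torproject.org/", "https://atlas.torproject.org/", win];

function demo() {
  return {
    reported: allowScriptReported(...sample), // false: request blocked
    proposed: allowScriptProposed(...sample), // true: both origins are HTTPS
  };
}
console.log(demo());
```

In this model an HTTP top-level page still fails the first check, so passing the window through does not relax the HTTPS-only rule.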

comment:4 Changed 6 years ago by ma1

https://atlas.torproject.org/#search/DFRIpi seems to work fine for me with NoScript 2.6.9.17rc2 and above, default options + globalHTTPSWhitelist.
Am I missing something?

comment:5 in reply to:  4 Changed 6 years ago by gk

Replying to ma1:

> https://atlas.torproject.org/#search/DFRIpi seems to work fine for me with NoScript 2.6.9.17rc2 and above, default options + globalHTTPSWhitelist.
> Am I missing something?

noscript.restrictSubdocScripting must be set to true as well to hit the problem.

comment:6 Changed 6 years ago by ma1

Please check 2.6.9.18rc3 from http://noscript.net/getit#devel thanks.

comment:7 Changed 6 years ago by gk

Resolution: fixed
Status: needs_information → closed

That fixes the issue, thanks.
